NGINX: Bump to OpenResty v1.27.1.2.

Author: Gacko

images/nginx/rootfs/build.sh

@@ -32,20 +32,20 @@ export MORE_HEADERS_VERSION=v0.37
 # Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...master
 export NGINX_DIGEST_AUTH=v1.0.0
 
-# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master
-export MODSECURITY_VERSION=v1.0.3
+# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.4...master
+export MODSECURITY_VERSION=v1.0.4
 
 # Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.14...v3/master
 export MODSECURITY_LIB_VERSION=v3.0.14
 
-# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.10.0...main
-export OWASP_MODSECURITY_CRS_VERSION=v4.10.0
+# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.15.0...main
+export OWASP_MODSECURITY_CRS_VERSION=v4.15.0
 
-# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.27...master
-export LUA_NGX_VERSION=v0.10.27
+# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.28...master
+export LUA_NGX_VERSION=v0.10.28
 
-# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.15...master
-export LUA_STREAM_NGX_VERSION=v0.0.15
+# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.16...master
+export LUA_STREAM_NGX_VERSION=v0.0.16
 
 # Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master
 export LUA_UPSTREAM_VERSION=v0.07
@@ -56,17 +56,17 @@ export LUA_CJSON_VERSION=2.1.0.14
 # Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/445df24ef3781e488cee3dfe8a1e111997fc1dfe...master
 export GEOIP2_VERSION=445df24ef3781e488cee3dfe8a1e111997fc1dfe
 
-# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240815...v2.1-agentzh
-export LUAJIT_VERSION=v2.1-20240815
+# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20250117...v2.1-agentzh
+export LUAJIT_VERSION=v2.1-20250117
 
 # Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.05...master
 export LUA_RESTY_BALANCER=v0.05
 
 # Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.15...master
 export LUA_RESTY_CACHE=v0.15
 
-# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.30...master
-export LUA_RESTY_CORE=v0.1.30
+# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.31...master
+export LUA_RESTY_CORE=v0.1.31
 
 # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master
 export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4
@@ -95,17 +95,17 @@ export LUA_RESTY_REDIS_VERSION=v0.31
 # Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/3e93c53eb8c9884efe939ef070486a0e507cc5be...master
 export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be
 
-# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.9...master
-export MIMALOC_VERSION=v2.1.9
+# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.2.4...main
+export MIMALOC_VERSION=v2.2.4
 
 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.18.0...main
 export OPENTELEMETRY_CPP_VERSION=v1.18.0
 
 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-proto/compare/v1.5.0...main
 export OPENTELEMETRY_PROTO_VERSION=v1.5.0
 
-# Check for recent changes: https://github.com/nginx/njs/compare/0.8.10...master
-export NJS_VERSION=0.8.10
+# Check for recent changes: https://github.com/nginx/njs/compare/0.9.0...master
+export NJS_VERSION=0.9.0
 
 export BUILD_PATH=/tmp/build
 

images/nginx/rootfs/patches/05_nginx-1.27.1-stream_ssl_preread_no_skip.patch

@@ -1,10 +1,15 @@
 diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
-index e3d11fd9..3717b5fe 100644
+index 3fc83ff2f..7e65d65be 100644
 --- a/src/stream/ngx_stream_ssl_preread_module.c
 +++ b/src/stream/ngx_stream_ssl_preread_module.c
-@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
+@@ -190,11 +190,11 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
+         }
+ 
+         if (rc == NGX_OK) {
+-            return ngx_stream_ssl_preread_servername(s, &ctx->host);
++            rc = ngx_stream_ssl_preread_servername(s, &ctx->host);
+         }
 
-         rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
          if (rc != NGX_AGAIN) {
 -            return rc;
 +            return rc == NGX_OK ? NGX_DECLINED : rc;

images/nginx/rootfs/patches/28_nginx-1.27.1-CVE-2025-23419.patch

@@ -0,0 +1,87 @@
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 3cca57cf5..9593b7fb5 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
++    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION                                                   \
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+ 
+     if (sscf->ssl.ctx) {
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index ba444776a..6dee106de 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
++    sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
++
++#if (defined TLS1_3_VERSION                                                   \
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     s->srv_conf = cscf->ctx->srv_conf;
+ 
+     ngx_set_connection_log(c, cscf->error_log);
+ 
+-    sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
+-
+     if (sscf->ssl.ctx) {
+         if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
+             goto error;